Damien Miller
2024-Nov-26 21:25 UTC
[PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
Sorry, this now been committed and will be in openssh-10.0 On Sat, 23 Nov 2024, Morten Linderud wrote:> Hi, > > I sent this patch back inn april and I still have a need for this. Would it be > possible to get any pointers how we can have `hashalg` selectable by `ssh-keygen -Y`? > > -- > Morten Linderud > PGP: 9C02FF419FECBE16 > > On Thu, Apr 11, 2024 at 09:16:39PM +0200, Morten Linderud wrote: > > `ssh-keygen -Y sign` only selects the signing algorithm `rsa-sha2-512` > > and this prevents ssh-agent implementations that can't support sha512 > > from signing messages. > > > > An example of this is TPMs which mostly only really supports sha256 > > widely. > > > > This change enables `ssh-keygen -Y sign` to honor the `hashalg` option > > for the signing algorithm. > > > > Signed-off-by: Morten Linderud <morten at linderud.pw> > > --- > > sshsig.c | 10 ++++++++-- > > 1 file changed, 8 insertions(+), 2 deletions(-) > > > > diff --git a/sshsig.c b/sshsig.c > > index 470b286a3..033b43353 100644 > > --- a/sshsig.c > > +++ b/sshsig.c > > @@ -190,8 +190,14 @@ sshsig_wrap_sign(struct sshkey *key, const char *hashalg, > > } > > > > /* If using RSA keys then default to a good signature algorithm */ > > - if (sshkey_type_plain(key->type) == KEY_RSA) > > - sign_alg = RSA_SIGN_ALG; > > + if (sshkey_type_plain(key->type) == KEY_RSA){ > > + if (hashalg == NULL) > > + sign_alg = RSA_SIGN_ALG; > > + else if (strcmp(hashalg, "sha256") == 0) > > + sign_alg = "rsa-sha2-256"; > > + else if (strcmp(hashalg, "sha512") == 0) > > + sign_alg = "rsa-sha2-512"; > > + } > > > > if (signer != NULL) { > > if ((r = signer(key, &sig, &slen, > > -- > > 2.44.0 > > _______________________________________________ > > openssh-unix-dev mailing list > > openssh-unix-dev at mindrot.org > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >
Morten Linderud
2024-Nov-26 21:33 UTC
[PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
Thank you! There is now two " XXX maybe make configurable " in the top of the file that is probably no longer relevant. Do you want a followup patch for that? Cheers, Morten Linderud On Wed, Nov 27, 2024 at 08:25:15AM +1100, Damien Miller wrote:> Sorry, this now been committed and will be in openssh-10.0 > > On Sat, 23 Nov 2024, Morten Linderud wrote: > > > Hi, > > > > I sent this patch back inn april and I still have a need for this. Would it be > > possible to get any pointers how we can have `hashalg` selectable by `ssh-keygen -Y`? > > > > -- > > Morten Linderud > > PGP: 9C02FF419FECBE16 > > > > On Thu, Apr 11, 2024 at 09:16:39PM +0200, Morten Linderud wrote: > > > `ssh-keygen -Y sign` only selects the signing algorithm `rsa-sha2-512` > > > and this prevents ssh-agent implementations that can't support sha512 > > > from signing messages. > > > > > > An example of this is TPMs which mostly only really supports sha256 > > > widely. > > > > > > This change enables `ssh-keygen -Y sign` to honor the `hashalg` option > > > for the signing algorithm. > > > > > > Signed-off-by: Morten Linderud <morten at linderud.pw> > > > --- > > > sshsig.c | 10 ++++++++-- > > > 1 file changed, 8 insertions(+), 2 deletions(-) > > > > > > diff --git a/sshsig.c b/sshsig.c > > > index 470b286a3..033b43353 100644 > > > --- a/sshsig.c > > > +++ b/sshsig.c > > > @@ -190,8 +190,14 @@ sshsig_wrap_sign(struct sshkey *key, const char *hashalg, > > > } > > > > > > /* If using RSA keys then default to a good signature algorithm */ > > > - if (sshkey_type_plain(key->type) == KEY_RSA) > > > - sign_alg = RSA_SIGN_ALG; > > > + if (sshkey_type_plain(key->type) == KEY_RSA){ > > > + if (hashalg == NULL) > > > + sign_alg = RSA_SIGN_ALG; > > > + else if (strcmp(hashalg, "sha256") == 0) > > > + sign_alg = "rsa-sha2-256"; > > > + else if (strcmp(hashalg, "sha512") == 0) > > > + sign_alg = "rsa-sha2-512"; > > > + } > > > > > > if (signer != NULL) { > > > if ((r = signer(key, &sig, &slen, > > > -- > > > 2.44.0 > > > _______________________________________________ > > > openssh-unix-dev mailing list > > > openssh-unix-dev at mindrot.org > > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Possibly Parallel Threads
- [PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
- [PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
- [PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
- [PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
- [PATCH] Clean up the regress directory with make clean